I have this hidden master DNS nameserver notifying and updating the two public slave DNS servers:
- my own VPS running Debian/Bind9 DNS
- 3rd-party secondary nameserver provider (afraid.org)
I finally got DNSSEC working with the hidden master and my public slave server (VPS).
Now I am searching high and low for a secondary nameserver service provider that can ALSO support DNSSEC. I couldn't find one. I couldn't understand why.
Then I saw this clue on GoDaddy Secondary NameServer wiki:
- "You cannot use both DNSSEC and Secondary DNS with the same domain name."
Why can't a 3rd party provide asecondary name server with DNSSEC?
Answer
As has been noted, the quoted statement is one service provider noting a limitation in their own service, it's not a universal truth.
All that is really needed to make what you ask for work is this:
- Slave nameserver gets an exact copy of the full zone data (including public keys, signatures, everything) such as what happens with a normal zone transfer (
AXFR
/IXFR
), and simply uses the received zone data verbatim, no mucking about with the data. - Slave nameserver software supports DNSSEC. Ie, supports EDNS0, knows to act on the DNSSEC-relevant flags in the header/EDNS0 fields (such as returning relevant
RRSIG
/NSEC
in responses to queries that request DNSSEC).
As for why the service provider referenced in the question cannot do this, you will really need to direct the question to them to get a proper answer.
Maybe they are using some custom or outdated nameserver software that cannot meet the above requirements? Maybe it's some kind of policy decision that is not even purely technical?
If you look at service providers that have more of a focus on DNS hosting, my impression is that requirements like the above are usually a non-issue (provided they have a slave nameserver option in the first place).
No comments:
Post a Comment